Health Law Blog Sweden

ISSN: 2004-8955

Hacking your DNA? Some things to consider before buying a DNA test online

by Dr Andelka M. Phillips*

You can now buy almost anything online and this includes DNA tests. The direct-to-consumer genetic testing industry (aka DTC or personal genomics) has created a market for DNA tests as commercial services, taking them outside of the healthcare system and into people’s homes.

Now an individual can buy a test with just a few clicks of a mouse. It is easy. You pay for the test online and the company sends a test kit in the mail. This normally requires the user to either give a saliva sample or a cheek swab. The consumer then sends the sample to the company, and the company processes and analyses the sample and normally provides results through its web platform. The results can include estimates of your risk of developing particular diseases and information about other traits, and several companies will also link people with potential relatives. The industry offers a diverse range of tests, but the most popular offerings are tests for ancestry and health. However, the tests offered are generally not standardised, which has led to consumers receiving contradictory results from different companies. This has in turn led to questions about the utility of such tests for individuals.

In this blog post, I hope to encourage you to think about some of the risks that these services pose and to highlight some of the issues to consider before you or a family member purchases a test. This is linked to the joint project with Professor Samuel Becher entitled ‘Fairness and Transparency in Emerging Health Markets: Protecting New Zealanders from the Risks of Personal Genomics’. We are extremely grateful to the Borrin Foundation for funding this project and the research was carried out in New Zealand. One of our outputs is an animated video aimed at the general public and in creating this, we have attempted to make something that will be relevant also to an international audience. You can watch the video, ‘Before you buy DNA tests – things to consider’, and we do want to share this widely.

To begin with, we all share much of our DNA with our family members, which means that when one person has their data processed and stored by a personal genomics company, this does pose risks for family members. Although we share a lot of our DNA with our family, when a person undergoes genetic testing, this also reveals their unique genetic code. As your genetic data can be stored digitally and indefinitely, it means that this information can always be linked back to you and may be used in the future in ways that we cannot yet anticipate. An important point to note here is that you cannot change your genetic data, so when this data is leaked, it is much more problematic than when something goes wrong with a bank account. You can change your bank PIN number, but you cannot change your genetic data.

Many of the risks we mention in the video and accompanying papers relate to privacy and how personal and genetic data can be used, but we also highlight the problems relating to the reliance by the industry on their online contracts and privacy policies to govern relationships with consumers. This is particularly problematic in this specific context, because people often disregard these documents and treat them in the same manner as they would treat them in other online contexts. Other scholars and entities have also expressed concern about the DTC industry’s terms with one example being the Norwegian Consumer Council’s complaint about MyHeritage’s Terms and Conditions to both the Norwegian Consumer Authority and the Norwegian Data Protection Authority.[1]

While Sweden does have free health insurance and consequently the concern we mention about this potentially impacting health insurance may be less problematic, there are other possibilities for how this data may be used that could still be concerning for Swedish consumers and also European consumers more generally.

It is also important to recognise the international nature of this industry. Some of the most prominent market leaders in this space are based in the US and although companies may have European offices, often samples will be sent across national borders and personal data including sensitive genetic data may be stored in countries other than where the consumer is based. Much of the value for businesses operating in this space can be found in the accumulation of data from a large number of consumers and using that data in secondary research. The industry has been characterised by partnerships and mergers, with 23andMe entering at least 14 partnerships with the pharmaceutical industry[2] before it merged with Virgin[3], while competitor Ancestry was purchased by Blackstone.[4]

It is hoped that one recent example will show why this post is timely and raise awareness of the need to give more consideration to how these businesses operate. The example is the recent data breach at 23andMe, which has demonstrated the scale at which consumers’ privacy may be impacted. While 23andMe did make an announcement in October 2023, they were slow to reveal what had happened. They also attempted soon after the announcement to limit customers’ opportunities for redress by altering their terms.[5]

It has since emerged (in December 2023) that 6.9 million of 23andMe’s customers have been impacted, which represents almost half of its total number of customers.[6] This breach is concerning for a number of reasons, but one element that should be highlighted is that it did involve racial targeting, with customers with Chinese and Ashkenazi Jewish ancestry being specifically targeted[7] and it has also emerged that one hacker offered to sell the ‘names, addresses, and genetic heritage’ of 1 million consumers through the dark web.[8] As a consequence of this breach, 23andMe is now facing ‘more than 30 lawsuits’.[9] This includes class actions now pending in both the USA and Canada.[10] The recent US filing states that sensitive information of 23andMe’s customers was accessed and leaked and this included ‘users’ genetic heritage, ancestral origin, full names, home addresses, profile pictures, and birth dates.’[11]

The variety of personal information which has been accessed here poses real risks not just for privacy, but for the physical safety of individuals and their families. It also means that those impacted could be vulnerable to identity theft and other crimes. As these cases are ongoing, we cannot know what the outcome will be, but at the very least, perhaps it will increase awareness of the risks posed by this industry and it is hoped that it will force the industry to improve its cyber security and its behaviour.

As we have recommended previously, there is a real need for improved governance and oversight of this industry at national and international levels. In light of the recent data breach, it is vital to improve cyber security & data protection practices across the industry and also to improve contracts and privacy policies in this context. Please see our related papers for more policy recommendations.

Project details:

This blog is linked to the project: ‘Fairness and Transparency in Emerging Health Markets: Protecting New Zealanders from the Risks of Personal Genomics’, which has two recent op-eds and a book chapter linked to it. Please watch our video, ‘Before you buy DNA tests – things to consider’ (https://youtu.be/wy5NILzn8ZE).

Researchers:

Dr Andelka M. Phillips is an academic and writer currently based in New Zealand and an Academic Affiliate, Centre for Health, Law and Emerging Technologies (HeLEX), University of Oxford and Affiliate with the Bioethics Institute Ghent (BIG), Ghent University. Links: https://www.andelkamphillips.com; https://www.law.ox.ac.uk/people/andelka-phillips; https://www.bioethics.ugent.be/our-people/andelkamphillips/

Professor Samuel Becher is a Professor of Law at Victoria University of Wellington, New Zealand. Link: https://people.wgtn.ac.nz/samuel.becher

Publications:

Samuel I Becher and Andelka M. Phillips, ‘Data Rights and Consumer Contracts: The Case of Personal Genomic Services’ in Damian Clifford, Jeannie Paterson & Kwan Ho Lau (eds), Data Rights and Private Law (Hart Publishing, 14 December 2023)

Andelka M. Phillips and Samuel Becher, ‘At-home DNA tests just aren’t that reliable – and the risks may outweigh the benefits’ (https://theconversation.com/at-home-dna-tests-just-arent-that-reliable-and-the-risks-may-outweigh-the-benefits-194349) The Conversation (29 November 2022)

Samuel Becher and Andelka M. Phillips, ‘DNA Testing is Not “Just Saliva”’ (https://www.theregreview.org/2023/01/09/becher-phillips-dna-testing-is-not-just-saliva/) The Regulatory Review (9 January 2023)


* Academic Affiliate, Centre for Health, Law and Emerging Technologies (HeLEX), University of Oxford and Affiliate with the Bioethics Institute Ghent (BIG), Ghent University.

[1] Forbrukerrådet – Norwegian Consumer Council, ‘The Norwegian Consumer Council reports MyHeritage for unlawful terms and conditions’ (11 March 2020) https://www.forbrukerradet.no/side/the-norwegian-consumer-council-reports-myheritage-for-unlawful-terms-and-conditions/ ; see also Order to provide information – Complaint against MyHeritage Ltd – Unclear Privacy Policy https://www.datatilsynet.no/contentassets/dfec2e3e993843f396c5dff4849145dc/order-to-provide-information—myheritage-ltd.pdf

[2] Andelka M. Phillips and Samuel Becher, ‘At-home DNA tests just aren’t that reliable – and the risks may outweigh the benefits’ (https://theconversation.com/at-home-dna-tests-just-arent-that-reliable-and-the-risks-may-outweigh-the-benefits-194349) The Conversation (29 November 2022)

[3] 23andMe, ‘23andMe to Merge with Virgin Group’s VG Acquisition Corp. to Become Publicly-Traded Company Set to Revolutionize Personalized Healthcare and Therapeutic Development through Human Genetics’ Press Release (4 February 2021) https://investors.23andme.com/news-releases/news-release-details/23andme-merge-virgin-groups-vg-acquisition-corp-become-publicly

[4] Blackstone, ‘Blackstone Completes Acquisition of Ancestry®, Leading Online Family History Business, for $4.7 Billion’ (4 December 2020) https://www.blackstone.com/news/press/blackstone-completes-acquisition-of-ancestry-leading-online-family-history-business-for-4-7-billion/

[5] Jacob Knutson, ‘23andMe changes terms of service amid legal fallout from data breach’ AXIOS (updated 6 December 2023) https://www.axios.com/2023/12/07/23andme-terms-of-service-update-data-breach

[6] M DeGuerin, ‘Hackers got nearly 7 million people’s data from 23andMe. The firm blamed users in ‘very dumb’ move’ The Guardian (15 February 2024) https://www.theguardian.com/technology/2024/feb/15/23andme-hack-data-genetic-data-selling-response

[7] Rebecca Carballo, Emily Schmall and Remy Tumin, ‘23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says’ The New York Times (26 January 2024) https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html

[8] Rebecca Carballo, Emily Schmall and Remy Tumin, ‘23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says’ The New York Times (26 January 2024) https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html

[9] Lorenzo Franceschi-Bicchierai, ‘23andMe tells victims it’s their fault that their data was breached’ TechCrunch (4 January 2024) https://techcrunch.com/2024/01/03/23andme-tells-victims-its-their-fault-that-their-data-was-breached/

[10] Alison Frankel, ‘As 23andMe goes to mediation in hacked DNA case, plaintiffs’ firm warns of collusion’ Reuters (31 January 2024) https://www.reuters.com/legal/legalindustry/column-23andme-goes-mediation-hacked-dna-case-plaintiffs-firm-warns-collusion-2024-01-30/ ; see filing Motion to Appoint Interim Leadership – David Melvin and J.L v 23andMe Inc Case No. 24-cv-00487-SK – hearing date set at 4th March 2024 https://fingfx.thomsonreuters.com/gfx/legaldocs/gkvlddmwnvb/frankel-23andMedatabreach–Edelsonleadcounsel.pdf ; KND Complex Litigation, ‘23andME CANADIAN CONSUMER DATA BREACH CLASS ACTION’ CISION (20 December 2023) – case J. R. v 23andMe Holding Co et al, Vancouver Registry, S-237147 https://www.newswire.ca/news-releases/23andme-canadian-consumer-data-breach-class-action-843706435.html

[11] filing Motion to Appoint Interim Leadership – David Melvin and J.L v 23andMe Inc Case No. 24-cv-00487-SK at 4.
